diff --git a/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml b/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml
index a432d8bae2..830248503b 100644
--- a/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml
+++ b/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml
@@ -20,6 +20,7 @@ spec:
 [Service]
 Type=oneshot
+ ExecStartPre=rm -f /etc/ipsec.d/cno.conf
 ExecStart=systemctl enable --now ipsec.service
 [Install]
diff --git a/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml b/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml
index 43f9a1bbeb..5acb18ef72 100644
--- a/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml
+++ b/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml
@@ -20,6 +20,7 @@ spec:
 [Service]
 Type=oneshot
+ ExecStartPre=rm -f /etc/ipsec.d/cno.conf
 ExecStart=systemctl enable --now ipsec.service
 [Install]
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
index f0ecd632e3..4d9b882f86 100644
--- a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
+++ b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
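Review bot: The added `ExecStartPre=rm -f /etc/ipsec.d/cno.conf` line gives no hint why a file under /etc/ipsec.d is deleted on every unit start, and the unit's own ExecStart (`systemctl enable --now ipsec.service`) does not restart an already-running pluto, so a reader cannot tell from the unit alone whether the removal is meant to take effect immediately or only after the next daemon restart. The ipsec-host.yaml hunk in this same commit drops the code that rendered that file, which is the context the unit is missing; suggest a unit comment directly above the new line: `# Remove the connection-parameter file that earlier ipsec-host.yaml releases rendered; pluto is restarted separately by the ipsec-host script.` The identical line is added to 80-ipsec-worker-extensions.yaml in the next hunk and would benefit from the same comment.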
@@ -239,38 +239,23 @@ spec:
 defaultcpinclude="include \/etc\/crypto-policies\/back-ends\/libreswan.config"
 if ! grep -q "# ${defaultcpinclude}" /etc/ipsec.conf; then
 sed -i "/${defaultcpinclude}/s/^/# /" /etc/ipsec.conf
- fi
+ # since pluto is on the host, we need to restart it after changing connection
+ # parameters.
+ chroot /proc/1/root ipsec restart
- # Use /etc/ipsec.d/cno.conf file to write our own default IPsec connection parameters.
- # The /etc/ipsec.d/openshift.conf file can not be used because it is managed by openvswitch.
- touch /etc/ipsec.d/cno.conf
- if ! grep -q "narrowing=yes" /etc/ipsec.d/cno.conf; then
- cat < /etc/ipsec.d/cno.conf
- # Default IPsec connection parameters rendered by network operator.
- # The narrowing=yes is needed to narrow down the proposals exchanged
- # by two peers to a mutually acceptable set, otherwise it sometimes
- # have traffic hit between peer nodes.
- conn %default
- narrowing=yes
- EOF
+ counter=0
+ until [ -r /run/pluto/pluto.ctl ]; do
+ counter=$((counter+1))
+ sleep 1
+ if [ $counter -gt 300 ];
+ then
+ echo "ipsec has not started after $counter seconds"
+ exit 1
+ fi
+ done
+ echo "ipsec service is restarted"
 fi
- # since pluto is on the host, we need to restart it after changing connection
- # parameters.
- chroot /proc/1/root ipsec restart
-
- counter=0
- until [ -r /run/pluto/pluto.ctl ]; do
- counter=$((counter+1))
- sleep 1
- if [ $counter -gt 300 ];
- then
- echo "ipsec has not started after $counter seconds"
- exit 1
- fi
- done
- echo "ipsec service is restarted"
-
- # Workaround for https://github.com/libreswan/libreswan/issues/373
 ulimit -n 1024
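Review bot: The `chroot /proc/1/root ipsec restart` and the pluto.ctl wait loop now sit inside the `if ! grep -q "# ${defaultcpinclude}"` branch, so the host daemon is restarted only on the pass that actually edits /etc/ipsec.conf and never on later container restarts; that is a deliberate behavior change and deserves a comment, e.g. replace the first added comment with `# Restart pluto only when ipsec.conf was just modified; later container restarts leave the running host daemon alone.` The loop polls `/run/pluto/pluto.ctl` from inside the container while the restart is issued through chroot into the host, which presumably relies on /run/pluto being host-mounted — worth confirming since a missing mount would make this time out after 300 iterations regardless of pluto's state. Minor style: quote the variable in `if [ "$counter" -gt 300 ];` as the other expansions in this script are quoted. The enclosing script block starts and ends outside this hunk.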
@@ -407,7 +392,7 @@ spec:
 # When east-west ipsec is not disabled, then do not flush xfrm states and
 # policies in order to maintain traffic flows during container restart.
 ipsecflush() {
- if [ "$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode}')" != "Full" ] || \
+ if [ "$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode}')" != "Full" ] && \
 [ "$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig}')" != "{}" ]; then
 ip x s flush
 ip x p flush
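Review bot: Both `$(kubectl get …)` substitutions in the new `&&` condition expand to an empty string when the API call fails, and an empty string is neither "Full" nor "{}", so a transient API-server error during container restart takes the flush branch and wipes the xfrm states and policies — the opposite of the "do not flush" intent in the comment above. The operator/enum combination itself looks right for the cases the comment describes; the gap is only the failure path. Suggest fetching the config once into variables and returning early when kubectl exits non-zero, as sketched below. The function's closing `fi` and `}` are outside this hunk.
```shell
ipsecflush() {
  # Read the IPsec config once; if the API is unreachable, keep the current
  # xfrm state rather than flushing it on an unknown configuration.
  if ! ipsec_cfg="$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig}')"; then
    echo "unable to read ipsecConfig, not flushing xfrm state"
    return
  fi
  if ! ipsec_mode="$(kubectl get networks.operator.openshift.io cluster -ojsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode}')"; then
    echo "unable to read ipsecConfig.mode, not flushing xfrm state"
    return
  fi
  if [ "$ipsec_mode" != "Full" ] && [ "$ipsec_cfg" != "{}" ]; then
    # … unchanged: ip x s flush / ip x p flush …
```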